Add ability to configure Neutron FWaaS

This patch adds a release note, documentation and an automated
determination of whether the Horizon panel for FWaaS should be
enabled.

Re-Implementation-Of: https://review.openstack.org/#/c/275894/9

Depends-On: I682171333328e42895ec1a4d2d0cc5d2b2fcdcd9
Depends-On: Ic046cc9815f7b9c86a52fd75e7c796ecacc9e083
Change-Id: Iabfaa3d755bc2badae85325e3c6d477f4f2d620c
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>

doc/source/install-guide/configure-fwaas.rst

@@ -0,0 +1,57 @@
+`Home <index.html>`_ OpenStack-Ansible Installation Guide
+
+Configuring the Network Firewall Service (Optional)
+---------------------------------------------------
+
+The OpenStack Networking Service, Neutron, includes a Firewall as a
+Service (FWaaS) offering. This service lets you configure a firewall that
+runs outside of your instances and filters traffic from the router.
+
+The following procedure describes how to modify the
+``/etc/openstack_deploy/user_variables.yml`` file to enable FWaaS.
+
+#. Override the default list of Neutron plugins to include
+   ``firewall``:
+
+   .. code-block:: yaml
+
+      neutron_plugin_base:
+        - firewall
+        - ...
+
+#. The complete `neutron_plugin_base`, at the time of this writing, is as follows:
+
+   .. code-block:: yaml
+
+      neutron_plugin_base:
+         - router
+         - firewall
+         - lbaas
+         - vpnaas
+         - metering
+         - qos
+
+#. Execute the Neutron install playbook in order to update the configuration:
+
+   .. code-block:: shell-session
+
+       # cd /opt/openstack-ansible/playbooks
+       # openstack-ansible os-neutron-install.yml
+
+#. Execute the Horizon install playbook in order to update the Horizon
+   configuration to show the FWaaS panels:
+
+   .. code-block:: shell-session
+
+       # cd /opt/openstack-ansible/playbooks
+       # openstack-ansible os-horizon-install.yml
+
+The FWaaS default configuration options may be changed through the
+`conf override`_ mechanism using the ``neutron_neutron_conf_overrides``
+dict.
+
+.. _conf override: http://docs.openstack.org/developer/openstack-ansible/install-guide/configure-openstack.html
+
+--------------
+
+.. include:: navigation.txt

doc/source/install-guide/configure.rst

@@ -21,6 +21,7 @@ Chapter 4. Deployment configuration
    configure-aodh.rst
    configure-keystone.rst
    configure-lbaas.rst
+   configure-fwaas.rst
    configure-openstack.rst
    configure-sslcertificates.rst
    configure-configurationintegrity.rst

playbooks/inventory/group_vars/hosts.yml

@@ -229,6 +229,7 @@ horizon_enable_cinder_backup: "{% if cinder_service_backup_program_enabled is de
 # LBaaS panels are working only for LBaaS v1 at this time.
 #TODO(odyssey4me): Remove the classpath from this conditional in the Newton cycle.
 horizon_enable_neutron_lbaas: "{% if neutron_plugin_base is defined and ('lbaas' in neutron_plugin_base or 'neutron_lbaas.services.loadbalancer.plugin.LoadBalancerPlugin' in neutron_plugin_base) %}True{% else %}False{% endif %}"
+horizon_enable_neutron_fwaas: "{% if neutron_plugin_base is defined and 'firewall' in neutron_plugin_base %}True{% else %}False{% endif %}"
 horizon_rabbitmq_userid: horizon
 horizon_rabbitmq_vhost: /horizon
 

releasenotes/notes/neutron-fwaas-5c7c6508f2cc05c3.yaml

@@ -0,0 +1,15 @@
+---
+features:
+  - Neutron Firewall as a Service (FWaaS) can now optionally be deployed and
+    configured. Please see the `FWaaS Configuration Reference
+    <http://docs.openstack.org/admin-guide-cloud/networking_introduction.html#firewall-as-a-service-fwaas-overview>`_
+    for details about the what the service is and what it provides. See the
+    `FWaaS Install Guide <http://docs.openstack.org/developer/openstack-ansible/install-guide/configure-fwaas.html>`_
+    for implementation details.
+upgrade:
+  - Database migration tasks have been added for the FWaaS neutron plugin.
+security:
+  - When enabled, Neutron Firewall as a Service (FWaaS) provides projects the
+    option to implement perimeter security (filtering at the router), adding to
+    filtering at the instance interfaces which is provided by 'Security
+    Groups'.